Sharing a Netflix Password Technically Makes You a Criminal

While it is unlikely that anyone would face federal charges for borrowing or sharing a Netflix password, recent court rulings of the CFAA, the federal anti-hacking law, imply that seemingly simple actions could make someone a felon.

Do you stream Netflix on your own account or are you borrowing a password from a friend? How closely did you read your favorite social media sites’ Terms of Service? Are you sure you aren’t violating them?

Last Wednesday, September 14, the Charles Koch Institute, along with the Electronic Frontier Foundation (EFF), brought together panelists from EFF, the Center for Democracy & Technology (CDT), and Red Branch Consulting to discuss the Computer Fraud and Abuse Act (CFAA) and its implications for increased overcriminalization.

The evening began with a quick introduction from Charles Koch Institute senior research fellow and moderator for the night, Vikrant Reddy. Using examples such as helping deer on the side of the road and catching oysters at the wrong time of year, Reddy explained that overcriminalization occurs when the federal government classifies a broad range of ordinary activities as federal crimes. Over the course of the night’s discussion, the panelists described how overcriminalization relates to the CFAA, a criminal and civil law, because of the vague language it uses to describe authorization. When open to such broad interpretation, many everyday activities could become federal crimes.

Jamie Williams, Frank Stanton Legal Fellow at EFF, described the conditions under which the CFAA was formed. Partially inspired by the 1983 techno-thriller War Games, Congress became concerned about how hacking could potentially endanger U.S. national security. As a result, Congress enacted the CFAA in 1986, during the early stages of the internet.

At its core, the CFAA prohibits individuals from accessing computers without authorization. However, Williams noted, Congress used vague wording because lawmakers were uncertain about the impact the internet would have on society.

Critical court cases have exposed the issues and flaws with the CFAA’s vague wording. The most recent case, United States v. Nosal (2011), further highlights the need for clarity. Speaking on the questions of password sharing and authorization that the Nosal case raised, Gabe Rottman, deputy director of the Freedom, Security, & Technology project at CDT, argued that “there’s no limiting principle” when it comes to the CFAA, meaning average citizens can unknowingly become felons.

Offering an in-depth legal perspective, Paul Rosenzweig, principal at Red Branch Consulting, stated that the odd construction of the CFAA “leaves the definition of authorization empty of statutory meaning,” causing the scope of intent to fall to private citizen actors as opposed to a federal power.

Furthermore, Rosenzweig argued for the need to clearly define intent, stating, “Criminal law is intended to be definite … it is intended to give people a reasonable understanding of what is prohibited. Here, you can’t know what is criminal.”

Put simply, the CFAA has two large flaws. First, its vague wording makes it difficult to interpret whether a person has permission or “authorization” to access a computer. Second, it does not include a definition of intent, opening up the possibility that people could accidentally become criminals.

Rottman also warned that the CFAA could create a chilling effect for researchers working to improve information and protect against hacks, since their methods could potentially violate what the CFAA views as authorization.

Intent, as well as authorization, were both key terms that dominated the evening’s conversation, leading Reddy to ask the panelists how the CFAA impacts mens rea. Rosenzweig explained that ignoring mens rea, or the idea that a criminal act means willfully or intentionally doing something wrong, could lead to overcriminalization. In order to prevent this, the CFAA needs to clearly define criminal action as something that is done with the express the intent of accessing a computer in order to steal information or cause harm.

The conversation then moved to the penalties of the CFAA. As Williams explained, “The penalties are why it’s so crazy. … A first time violation can be one to five years, the second, 10 to 20 years.” In terms of accidental crimes, the mandatory minimums the CFAA sets could only contribute to the problems faced in the criminal justice system.

Williams said that although some progress has been made in the courts, the CFAA still produces inconsistent results: “We need Congress to step in and modify the law to fit where we are today … it needs to be adaptive to changes in technology.”

As technologies change and grow, more issues regarding criminal justice are likely to arise. In order to understand these issues and work toward solutions, the Charles Koch Foundation supports research related to criminal justice and policing reform, as well as technology and innovation.

More Blog Posts

09-02-2020 01:00pm

How Market-Based Management® cultivates a contribution mindset

The Koch Associate Program (KAP), a year-long opportunity that blends professional development with real work experience, works with early-career professionals who want to discover their passions, develop their unique talents, and jumpstart their careers as social entrepreneurs.

Read more

08-28-2020 01:00pm

How families and students — not institutions — are innovating education

We recently spoke with Adam Peshek, a Charles Koch Institute senior fellow, who covers a range of education policy issues, from education choice to innovative learning models.

Read more

08-18-2020 02:26pm

Customizing K-12 education to meet the individual needs of students and families

CKI's Lisa Snell offers her perspective on how the ongoing pandemic may affect education, challenges of our current educational system, and how she’d like to see a “permissionless” system.

Read more

Sign up for updates